PEACHPIT: Large Botnet Attacks Ads, Infects Millions of Android and iOS Smartphones

Last October, researchers disclosed a botnet dubbed PEACHPIT that had infected hundreds of thousands of Android and iOS devices. Its operators' goal was ad fraud: generating fake ad impressions and clicks for profit.

PEACHPIT is the ad-fraud component of a larger operation, codenamed BADBOX, attributed to China-based threat actors. The same group sells off-brand mobile and CTV (connected TV) devices preloaded with Triada malware through popular online stores and reseller sites.

“PEACHPIT was detected in 227 countries. It is assumed that this botnet could infect up to 121,000 Android devices and 159,000 iOS devices daily,” report analysts from the cybersecurity service HUMAN.

The devices were reportedly infected via 39 apps containing the malware code, with a total of over 15 million downloads. We previously wrote about malicious apps found on Google Play and the App Store, with 2 million installations.

Devices loaded with the BADBOX malware allowed botnet operators to steal sensitive user data, create local proxy exit nodes, and commit ad fraud through fake apps.

Exactly where in the supply chain the Android devices were infected is currently unknown. According to the researchers, the most likely explanation is that the devices shipped from Chinese manufacturers with the backdoor already built in.

"The attackers also used compromised devices to create WhatsApp accounts by stealing one-time passwords. They also created Gmail accounts by bypassing standard bot protection filters, as the malware skillfully imitated the behavior of real users," the company said.

The first public account of this activity came in a Trend Micro report in May 2023, which attributed it to a cybercriminal group that Trend Micro tracks as Lemon Group.

HUMAN's researchers identified about 200 different Android device models, including smartphones, tablets and CTV boxes, that showed signs of BADBOX infection, which indicates how widely the malware has spread. Notably, the apps built to generate the fraudulent ad clicks were freely available in the Apple App Store and Google Play Store.

The researchers found that the Android apps contained a module that created hidden WebView components, which sent requests in the background and loaded web pages carrying ads that the malware then clicked. The ad requests were also spoofed so that they appeared to originate from legitimate apps. The technique was not new: the earlier VASTFLUX ad-fraud operation, run by a different group, had used the same approach.
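The two traits described above, ad requests that lie about which app and platform they come from, and clicks fired by a hidden WebView at a cadence no person produces, are both visible on the ad-server side. The following is an added example of what such a check might look like, written for this post and not taken from HUMAN's report or the BADBOX/PEACHPIT research. It runs over a constructed JSON-lines ad-request log; the field names (`ts`, `device`, `app`, `platform`, `ua`, `event`) and the thresholds are assumptions for the example, not any vendor's actual log format or detection rules.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Added example: heuristic detection of spoofed, background ad traffic.
# Everything below (log format, device ids, app ids, thresholds) is constructed
# for illustration and is not data from the PEACHPIT investigation.
UA_ANDROID = "Mozilla/5.0 (Linux; Android 11; SM-A105F) AppleWebKit/537.36"
UA_IOS = "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) AppleWebKit/605.1.15"


def _rec(ts, device, app, platform, ua, event):
    """Build one constructed JSON log line."""
    return json.dumps({"ts": ts, "device": device, "app": app,
                       "platform": platform, "ua": ua, "event": event})


# Constructed sample log (JSON lines):
#   dev-a behaves like a person: a few impressions and one click over minutes.
#   dev-b claims to be the iOS app "id1234567890" but sends an Android User-Agent,
#         and clicks six times in ten seconds (the hidden-WebView pattern).
#   dev-c reports a consistent platform but clicks seven times in thirty seconds.
SAMPLE_LOG = "\n".join([
    _rec("2023-10-05T12:00:00Z", "dev-a", "com.example.weather", "android", UA_ANDROID, "impression"),
    _rec("2023-10-05T12:01:00Z", "dev-a", "com.example.weather", "android", UA_ANDROID, "impression"),
    _rec("2023-10-05T12:02:30Z", "dev-a", "com.example.weather", "android", UA_ANDROID, "impression"),
    _rec("2023-10-05T12:02:35Z", "dev-a", "com.example.weather", "android", UA_ANDROID, "click"),
    _rec("2023-10-05T12:00:00Z", "dev-b", "id1234567890", "ios", UA_ANDROID, "impression"),
] + [
    _rec(f"2023-10-05T12:00:{s:02d}Z", "dev-b", "id1234567890", "ios", UA_ANDROID, "click")
    for s in (1, 3, 5, 7, 9, 11)
] + [
    _rec(f"2023-10-05T12:05:{s:02d}Z", "dev-c", "com.example.flashlight", "android", UA_ANDROID, "click")
    for s in range(0, 35, 5)
])


def parse_log(text):
    """Parse JSON-lines ad-request records; timestamps become aware UTC datetimes."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return events


def platform_mismatch(rec):
    """Return a reason string when the declared platform contradicts the User-Agent."""
    ua, declared = rec["ua"], rec["platform"]
    if declared == "ios" and "Android" in ua:
        return f"declared ios for app {rec['app']} but User-Agent indicates Android"
    if declared == "android" and ("iPhone" in ua or "iPad" in ua):
        return f"declared android for app {rec['app']} but User-Agent indicates iOS"
    return None


def max_clicks_in_window(times, window_s=60):
    """Largest number of clicks falling inside any sliding window of window_s seconds."""
    times = sorted(times)
    best, j = 0, 0
    for i in range(len(times)):
        while (times[i] - times[j]).total_seconds() > window_s:
            j += 1
        best = max(best, i - j + 1)
    return best


def flag_devices(events, max_clicks_per_minute=5):
    """Map device id -> list of reasons it looks like spoofed or automated ad traffic."""
    reasons = defaultdict(list)
    clicks = defaultdict(list)
    for rec in events:
        msg = platform_mismatch(rec)
        if msg and msg not in reasons[rec["device"]]:
            reasons[rec["device"]].append(msg)
        if rec["event"] == "click":
            clicks[rec["device"]].append(rec["ts"])
    for device, times in clicks.items():
        burst = max_clicks_in_window(times, 60)
        if burst > max_clicks_per_minute:  # assumed threshold, tune per inventory
            reasons[device].append(f"{burst} clicks within 60s")
    return dict(reasons)


if __name__ == "__main__":
    for device, why in flag_devices(parse_log(SAMPLE_LOG)).items():
        print(device, "->", "; ".join(why))
```

On the sample log the check flags dev-b on both counts and dev-c on click cadence only, while dev-a passes. The User-Agent contradiction is the stronger signal: a hidden WebView inside an Android app can put any app id it likes in the request, but the WebView still identifies itself as Android, which is exactly the mismatch an ad platform can look for when an "iOS" app's traffic arrives from Android hardware.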

By the time HUMAN, Google and other partners moved against the botnet's central C2 servers, including BADBOX's, the attackers had already taken them offline themselves. They had also pushed a malware update that removed the modules powering PEACHPIT. The researchers assumed the operators were adjusting their tactics in an attempt to evade the blocking that had been put in place.

Pre-installed malware on Android devices is not a new phenomenon: numerous reports from Doctor Web and Check Point trace it back to at least 2016, mostly on cheap smartphones and tablets.

"In order to remain undetected, the attackers covered their tracks as much as possible throughout the entire attack chain, which indicates its high complexity," HUMAN said. "Anyone can accidentally buy a device with BADBOX without even suspecting that it is fake. It was only a matter of time before the malware was activated."

As a reminder: install an antivirus program on your devices and keep its signature database up to date; this helps protect your device from malware infection.